SCADA Systems a Target for Hackers? 189
superstick58 writes "As a system integrator, I am often providing control solutions that utilize sophisticated Ethernet networks and as they say in the biz 'link top floor to shop floor.' Forbes has an article about the security issues that exist in SCADA systems. When I look back at some of the systems I have put in which include direct I/O control over ethernet and distributed HMI monitoring, if I can get access from the internet, it would be easy to bring down power for a plant or at the very least make operators in the building very uncomfortable. How vulnerable are the manufacturing centers of the world?"
Re:My view.. (Score:5, Interesting)
SCADA Systems are designed to be Failsafe (Score:5, Interesting)
Generally, SCADA systems are not trusted. All systems have failsafe hardwired I/O that is designed to shutdown on failure. Unfortunately, the shutdowns can cost money.
I just got through getting a cell working after an extensive blast of repetitive downtime. I never did work out what exactly caused the failure, however high on my list of suspects is a router that may have been dropping packets due to excessive network load. When the router shutdown, the PLCs shutdown too. I'm just not clear on what caused all the excessive error packets on the network ... I have lots of theories, but no evidence.
These SCADA networks are designed to be operated in a fairly secure environment. They can't withstand errors or high network load. Botnet attacks, virus outbreaks, or someone hacking in can cause trouble. However, mostly I worry about much more mundane causes of downtime.
Microsoft Windows updates, particularly XP SP2, are notorious causes of SCADA system problems. Automatic installation of anti-virus software that triggers system reboots causes system to shutdown unexpectedly. Employees installing CPU-intensive screen-savers also cause headaches. Unexpected system changes result in unexpected system shutdowns. These unexpected shutdowns are what cause the economic disruptions.
Personally, I wonder how much longer we can deploy Microsoft Windows as a SCADA platform. Fast, simple and straightforward are key system goals for SCADA applications. Vista, which effectively requires networking, is a step in the wrong direction. Linux is much more secure, and can easily be set up with read-only partitions. Read-only memory seems to make the systems much more stable, as every reboot always reloads a secure, known-correct program image.
Wow, what an awesome opportunity for a shameless p (Score:1, Interesting)
Because the systems are what they are, we are protecting them by putting protective devices in front of them -- either sitting behind a device on the phone line or sitting behind a protective router. Then, the lack of security in SCADA devices will be largely irrelevant, since you can't hack a device you can't access. It would be a matter of hacking into our devices, which are designed with a bit more security in mind.
I dread the idea of seeing our company name showing up in some hacker conference, but I'm kinda eager for some black-hat-vs-white-hat action.
Re:Hacking SCADA makes sense (Score:4, Interesting)
What if you could easily reproduce the East Coast Blackout of 2003 at will?
Hacking SCADA systems can do that for you...
Heh... What I could tell people...
NT4? Luxury! (Score:1, Interesting)
We're running DOS here. Yes, DOS. Version 6.3, I think... I haven't really bothered to check.
It does make them hard to hack (or access...) remotely, though.
Re:Large scale SCADA often uses the internet (Score:5, Interesting)
Who knows why they thought this was necessary but, they did it anyway without much consultation with the IT department. [red flag #1]
They published their little website where you could check out the air conditioner status and temperature of the various parts of the building and view the webcam. To see the webcam you had to logon with a specific username/password combination which they announced to everybody via email. [red flag #2]
Curious, I checked out the site and looked around. I found that the webcam had a different URL than the rest of the site so, being curious, I shortened the URL down one level at a time and ended up at a system administration logon page. [bad sign #1]
Surely the username/password for the webcam wouldn't work there so I tried it and promptly logged onto the facility controls console. [bad sign #2]
Surely I would only have limited or read only access so I checked out some of the features and areas of the console. I was able to access everything from heating/cooling, water, lighting and the factory waste handling system controls. [very bad sign #3]
Again, surely I had read only access so I tested one of the settings for the air system in our area of the building. I incrimented the value by 1 and clicked "save". It accepted my change. I changed the value back to it's original setting and saved it again. [VERY bad sign #4]
At this point I notified my supervisor that there may be a problem and showed him what I was able to do with the username/password that everybody in the company now had. A hasty meeting was called that day with myself and the head of facility management. I told him what I had found and we had a meeting with the vendor who installed the systems the next day.
In between the meetings, I checked out some more features of the controller system and found that I could ssh into it with the same password and username. The system ran a very stripped down Linux kernel and only had a few applications but I was able to add or remove or edit files from any directory on the system. So basically, the webcam username/password was effectively root on the whole system.
The installer was a typical heating/cooling installer type of guy. [red flag #3]
Computers obviously weren't his area of expertise. I understand that the company has people who "should" know about these sort of security measures, their developers. Why they sent a mechanical type of guy when they were told what our concerns were, I don't know. [red flag #4]
The scary and probably typical reaction I got from the vendor's installer was that there wasn't much of a problem because nobody in the factory would surely think of shortening a URL and find the main systems control login. [big red flag #5]
I finally got my point across and the vendor agreed to work with their developers to figure out a more secure setup. Fortunately the facility manager fully understood the consequences and wouldn't accept the vendors attempts at suggesting that it wasn't an issue.
Most everybody would think that simply changing the password would do the trick but apparently their setup was hard coded to only accept the one username and password for the whole system! At least that's what we were told at our meeting. To access the published webcam that was tied into this mess, you had to use the same credentials, otherwise none of this little setup of theirs would work and the administrative console would loose it's ability to monitor and control the factory systems. Brilliant! Absolutely genious.
Well, at the end of it all, apparently their developers had some sort of actual CLU
Re:My view.. (Score:4, Interesting)
Easy as pie (Score:1, Interesting)
Or too impatient for that? Try attacking one of the wireless SCADA networks, yes, critical infrastructure like gas pipelines running over "wireless."
So far the biggest thing that has kept them secure is people in the mainstream hacking community simply haven't known they exist. But that's changed. Keeping SCADA systems seperate from "Corporate" systems isn't easy for most utilities as they simply don't have the money to invest in dual infrastructure, or they don't know what they're doing so don't, or management (as usual) as full of nitwits so wont trump up the cash...
DHS has a Control Systems Cyber Security program which may have interesting reading for the curious, also see INL labs which do a lot of work on hacking SCADA systems, and NIST has some big put-you-to-sleep style doco on standards around SCADA security.
Cheers
e
This has been done for years (Score:3, Interesting)
What kind of line speed does it take to say, control the dijkes. This is not the place to say _exactly_ how its done, but I'm not afraid of a break. Trains are the other extreme, you need a real computer. The embedded boxes that take the measurements are simple in design, a PIC or 1802, a world favourite in payphones.
Going on the net can't be all that bad, but as one writer noted, thoughtlessly designed systems lock out the rightful user. Of course, never run ssh on port 22 and if life is on the line, a telephone backup must be used. "Fuzzing" is over rated, sure it crashes poorly designed systems, but well designed systems would have to be flooded quite fast to prevent a 'distress signal'. (Upstream the networks are well monitored.) I will always remember the first security lesson from a German professor: Rule No.1 NO Microsoft products!
My biggest fear is the possibility (actually quite easy) of spoofing an IP of a rightful owner. These addresses must either be secrets or rotated often, preferably both. Still a dedicated network, where management can only look and then pick up the phone is almost mandatory if human life is at stake. True fast hopping radio can be most secure, stealth and 'unjamable'. Fibre is secure too.
It is rather remarkable with this publicly known for years and even popular music (figure out that yourself) telling how to do it, it hasn't been a problem. Broadcast and cable is totally vulnerable, though breaches rarely occur. It is rather commonplace to control a TV sender through a DTMF telephone: Would you know what to do if you got in? In a real war, things could go from bad to worse. Social engineering would be a primary tool. (Could anything be easier to social engineer than the military?) Loose lips do bad things. Its all about logic to do it right. Its scary to see sysadmins use Windows for stupid reasons like: "It works best on my laptop". Then don't use it for anything else!
It is so often when doing a security audit, you hear: "I let my kids play games and surf the web". On company computers that do important things. Damn. Don't use Windows and keep your computer to yourself.
BillSF
Don't hack the SCADA, hack the PLC (Score:1, Interesting)
A PLC is a (generally) unprotected, unencrypted proprietary ethernet connected box. The only protection is that it is proprietary, but that protection has been diminished now that most are connected to Ethernet.
The interlocks etc that people are talking about above often actually reside in the PLC. You don't need a password to manipulate the memory in a PLC. Just a write command using the standard protocol for the PLC will do it.
SCADA PLC Hardware
The major manufacturers have not bothered to protect access to their PLC's, and with the recent Ethernet revolution in control systems, this makes them very vulnerable.
The majority of control systems I have seen are completely unprotected once you get onto the LAN. Unfortunately there is an attitude that it will never happen to us.
I have no experience in big oil or in power stations, but I have seen this problem in some airport operations, and industrial automation in general.
Hardened automation devices are just not demanded of PLC manufacturers by their customers, as they are not aware of the risks.
Disclaimer: I've been out of the industry for a couple of years, but the industry is very slow moving, so I doubt much has changed.
Re:My view.. (Score:3, Interesting)
For example we deal with ship control systems, which you may think are about as isolated as you can get. But there is a big push to allow remote access for such things as predictive maintenance, performance monitoring, fault diagnosis(difficult to send an engineer to a platform a 1000 miles from land). Therefore we have been as paranoid as possible when designing the access, but its a tough job to second guess hackers(in the evil sense of the word)
Re:My view.. (Score:2, Interesting)